Penetration Testing Services For Securing Your Business
Penetration testing services are intended to provide a comprehensive review of the security of your business systems. This could include infrastructure, web applications, cloud environments and other assets.
Penetration testers simulate real-world attacks against your systems to identify security gaps and potential attack vectors that attackers may exploit to cause data breaches, account takeover, and compromised systems.
What Is A Penetration Test
A penetration test is intended to review the security of your business operations and provide a comprehensive report that includes a vulnerability analysis, details of the cyber security risks each vulnerability may pose to your organization, and remediation advice on how each security vulnerability can be resolved.
Penetration testing services are often divided into different categories which can each provide a different level of insight into your organisation’s security.
Black Box Testing Services
A black box penetration test can be considered to start from the same viewpoint as any malicious attacker outside the company.
The penetration testers are provided with no accounts, access, or information and are required to discover as much information about the target system as they can using tools, techniques, and publicly available information.
While this type of test can be useful to determine the most likely vulnerabilities that an external attacker may target, it can often be limited to a surface-level security assessment of your assets, without being able to provide an in-depth analysis.
For example, a web application may present a login page to its users. A black box penetration test may not be able to identify a vulnerability or compromise an account in the time available for the test.
However, if an account is compromised in the future, or a malicious user already has an account, there may be multiple vulnerabilities beyond the login page which can be targeted to compromise other users and their data.
Grey Box Testing Services
A grey box penetration test can be used to account for the limited view a black box test provides.
While still looking for vulnerabilities which can be targeted by an attacker with no prior access, the tester in a grey box test will also be provided with limited information and access to a system, such as a test user account or minimal information about the technologies in use.
Using the additional access and information can be useful for security testing as it allows the penetration tester to conduct a more thorough security analysis of the systems and attempt to identify system-specific vulnerabilities that may impact the technologies that are known to be in use.
This approach can be useful for increasing an organization’s knowledge of the threats their systems may face from a malicious attacker, including from the perspective that an attacker has managed to gain limited access to their system or compromise an existing user account.
While a grey box test does provide greater insight into a system's security vulnerabilities, there may still be gaps in the areas the tester can access, which leaves the potential for additional security flaws to be present.
White Box Testing Services
A white box penetration test provides the most comprehensive form of pen testing, which involves providing a security tester with all the information available for your systems, including authenticated access to administrative interfaces, configuration information, and the source code for your systems.
This approach to security testing can be quite extensive, and due to the amount of information an assessor needs to review, it can also be time-consuming, increasing the potential costs of the assessment.
However, this approach should ideally highlight all the security issues by which your systems may be affected, including information regarding security best practices, improvements to your systems' configuration, and weaknesses that may be present within your code base.
How Much Does A Penetration Test Cost
Penetration testing services will often charge a daily rate for the time a qualified security assessor will need to spend on the project.
While some companies do offer set pricing, this may indicate that only a set amount of time will be assigned to your test.
This needs to be considered when planning your assessment as the number of days a penetration test may take can vary based on what systems are included within the security assessment.
For example, a web application test may target a handful of pages that are hosted as part of a blog or target a system that allows for account creation, multiple permission levels, interaction between users and an administration interface for developers.
A simple web application could be tested within a day, while a complex system may take several days or weeks.
Cyber Security Daily Rates
With a daily rate, the price can vary depending on the qualifications and experience of the assessor, the specific company, and the region of the world the company is based in.
Within the UK, an estimated daily rate can be in the region of £1000 per day; however, this could vary for several reasons which may impact your decisions.
- Cyber security experts who operate as independent contractors may charge a cheaper day rate, as they don’t have to account for many of the overheads that a business may incur.
- However, a contractor may not align with any security certification standards, and so may be limited in scope with the types of tests they can help with.
- The experience and expertise of independent contractors can also be widely variable, and so it is recommended to review qualifications or a track record of prior projects to provide a level of assurance with the work to be conducted.
- A penetration testing company may charge more for their day rate, as they may maintain a range of business certification standards, vulnerability scanning licences, individual assessor qualifications, as well as employee salaries.
Types Of Penetration Testing Services
A penetration test can often include multiple areas of your business, in an attempt to find security flaws and weaknesses which can allow malicious attacks to gain access to your critical assets.
Penetration testing isn’t strictly limited to any specific type of asset and can vary based upon:
- What assets your business makes use of
- Where your areas of concern are for business security
- The time and budget you can afford to allocate to penetration testing services
While a penetration test isn’t strictly limited to any one specific type of asset, there are some common areas that a penetration test may focus on to identify vulnerabilities that can impact your business.
Web Application Penetration Testing
Penetration testing services can target your company’s web applications to review their security posture and identify emerging threats which they may be affected by.
Web applications can often be affected by a range of specific vulnerabilities that are not always identified through vulnerability scanning tools alone, and so manual web application penetration testing can provide further insight into the security of your systems, such as those issues detailed within the OWASP Top Ten:
OWASP Top Ten Web Application Security Risks:
- Broken Access Controls
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Infrastructure Penetration Testing
Conducting a penetration test of your network infrastructure will often focus on physical assets, such as laptops, desktops, servers, routers, switches, firewalls, and may focus on:
External network systems
- These types of devices can be targeted directly over the internet by a malicious attacker.
Internal network systems
- These devices will not be directly accessible over the internet but may be targeted through the initial compromise of a user account or device, such as through a phishing attack.
Depending on the configuration of your assets, a range of critical vulnerabilities can impact the operating system, or the software and services running on your devices.
Cloud Penetration Testing
Cloud pen testing can combine several different types of penetration testing services, depending upon what your organization has hosted within a Cloud environment, such as Azure or AWS.
One key difference with any Cloud penetration test is that several security weaknesses, misconfigurations, or vulnerabilities specific to Cloud-hosted infrastructure can be identified as a result of the Cloud environment that is in use.
Where a white box test is also conducted for your Cloud environment, a configuration audit may also be arranged as part of the penetration testing services to ensure that each of the recommended security settings has been enabled for your setup.
CREST Penetration Testing Services
The Council of Registered Ethical Security Testers (CREST) is a non-profit organization focused on raising the standards of cyber security service providers, through qualifications and accreditations.
While CREST does not represent a specific type of penetration test, where companies and individuals hold CREST certifications, it can help provide assurance that the security testing process will follow a set of approved standards.
However, there are multiple forms of CREST-accredited membership available, such as being approved for:
- Penetration Testing Services
- Vulnerability Assessments
- Cyber Security Incident Response Capability
- Security Operations Center
When considering a penetration testing service provider that is a CREST-accredited member organization, you should confirm that their specific type of membership is applicable to the services you are interested in.
The Penetration Testing Process
A penetration test can be divided into different phases, which incorporate the initial planning stages through to the delivery of a security assessment report, as described in the following article.
The different phases of a penetration test include:
Scoping
- When planning a penetration test, it is important to understand:
  - Why the security assessment is taking place, which may include concerns over a particular threat, vulnerability, or compliance-driven factors.
  - What needs to be included in the security assessment, which may include specific devices, IP addresses, web applications, cloud services, or other areas of your business.
  - What the ideal outcomes of the vulnerability testing include, which can provide guidance on how to structure a penetration testing report to ensure any requirements are fulfilled.
Discovery
- As a penetration test begins, a qualified assessor will review the defined scope and conduct a scanning and discovery phase to identify any accessible devices, services, and content which can then be probed further for different categories of vulnerabilities.
Vulnerability Testing
- After the discovery phase has identified the assets that can be targeted for potential vulnerabilities, a testing phase will begin which iterates through different vulnerability types to identify vulnerabilities and security flaws that may impact the assessed business assets.
Reporting
- The findings of the penetration test will be recorded and reported, adding relevant information such as a description of how each vulnerability impacts your business, as well as its potential impact and risk factors. A summary of the penetration test is likely to be included within this report, to provide an overview of your business’s state of security and provide guidance on areas that are currently secure or that require improvement.
Compliance Assessment And Penetration Testing
There can be multiple reasons why a penetration test may be arranged. These may include:
- Concerns over the security of your business
- Requirements or requests from a third party or business partner
- Compliance requirements that are compulsory in order to achieve certification
In many instances, with a compliance assessment, there may only be the need to identify vulnerabilities within your business and ensure you act upon them. This can be the case with ISO 27001 certification, where there is a requirement to identify vulnerabilities.
This requirement can be achieved through vulnerability scanning; however, a penetration test is also a suitable method to identify vulnerabilities within your business.
Other compliance standards, such as Cyber Essentials Plus, include an element of vulnerability scanning as part of the certification process. However, conducting a penetration test before certification can be a useful method to highlight any vulnerabilities that may impact your systems and provide an opportunity to resolve vulnerabilities before your certification assessment.
Vulnerability Scanning And Penetration Testing
Vulnerability Scanning Tools
Vulnerability scanning and penetration testing should be considered as separate types of assessment; however, a penetration test will typically include a vulnerability scan.
- With Vulnerability Scanning, an automated tool is used to identify vulnerabilities within target systems. This may be individual devices, web applications or cloud-hosted services.
- The results of this automated scanning tool can then be used to automatically generate a report, which lists each of the vulnerabilities that were identified.
- The overall process with vulnerability scanning can be quite quick and efficient, and since there is little or no involvement from a trained security consultant, scanning can also be cost-effective, allowing for regular and repeat scans conducted throughout the year to highlight any newly identified vulnerabilities.
Limitations of Vulnerability Scanning
Although it is encouraged to conduct regular vulnerability scans, there are several drawbacks to automated scanning tools that should be considered.
- Automated testing and scanning tools are not perfect, and can produce a false positive or a false negative.
  - With a false positive, the vulnerability scanner may identify vulnerabilities that do not affect your company’s systems. This can result in lost time and resources to identify the false positive and conclude your business is not vulnerable.
  - A false negative can occur when a vulnerability scanner does not identify a vulnerability that your company is affected by. This can lead to a false sense of security and an unresolved vulnerability which may be targeted by real-world attacks.
- Vulnerability scanners can often lack context for the vulnerabilities they report. That context alters the potential impact of a vulnerability and can affect how your company may prioritize a remediation strategy. Vulnerabilities can have different impacts on different companies, depending on factors such as:
  - Connected devices and systems
  - Enabled or disabled services a vulnerability may be dependent on
  - Whether the impacted system is internet-facing
- Scanning tools are limited in the types of vulnerabilities they can identify. Unlike false negatives, where individual vulnerabilities are missed, there are entire categories of vulnerabilities which scanning tools are not capable of identifying.
Penetration Testing Services
A penetration test is intended to conduct a more thorough assessment than a vulnerability scanning tool alone, although a penetration test will often incorporate multiple vulnerability scanning tools as part of the discovery and vulnerability identification process.
Penetration testing services aim to manually review the security of your assets to address all of the weaknesses of vulnerability scanning tools, and to highlight and contextualize each vulnerability your systems may be impacted by.
While a penetration test is a more comprehensive security assessment, it also comes with an increased cost, due to the amount of time required for a qualified assessor to review your systems.
Due to this increased cost, it is always recommended to balance your company's security between regular cost-effective vulnerability scans and more infrequent manual penetration testing.
Conclusion
Penetration testing is an important element for a business to maintain cyber security and reduce the risk of cyber threats impacting their systems.
While there can be a cost involved with regular penetration tests, it is important to maintain a balance between frequent vulnerability scans, which can be cost-effective, and regular penetration testing services to uncover vulnerabilities threatening the security of your organization’s assets.
As a cost-effective method to ensure a regular security review, Cyber Essentials Plus certification includes both a security audit of your company as well as a vulnerability assessment of your external and internal infrastructure.
While there can be some additional security considerations, such as web applications, Cyber Essentials Plus can provide a broad level of coverage for many small businesses that are looking to reduce pen test costs.
If you have any further questions regarding different cybersecurity solutions or the Cyber Essentials Plus certification program, our consultants are available to address any concerns you may have.